How Apple and Amazon security flaws led to an epic hacking

On the night of the hack, I tried to make sense of the ruin that
was my digital life. My Google account was nuked, my Twitter
account was suspended, my phone was in a useless state of restore,
and (for obvious reasons) I was highly paranoid about using my .Me
account for communication.

I decided to set up a new Twitter account until my old one could
be restored, just to let people know what was happening. I logged
into Tumblr and posted an account of how I thought the takedown
occurred. At this point, I was assuming that my seven-digit
alphanumeric AppleID password had been hacked by brute force. In
the comments (and, oh, the comments)
others guessed that hackers had used some sort of keystroke logger.
At the end of the post, I linked to my new Twitter account.

And then, one of my hackers @ messaged me. He would later
identify himself as Phobia. I followed him. He followed me
back.

We started a dialogue via Twitter direct messaging that later
continued via e-mail and AIM. Phobia was able to reveal enough
detail about the hack and my compromised accounts that it became
clear he was, at the very least, a party to how it went down. I
agreed not to press charges, and in return he laid out exactly how
the hack worked. But first, he wanted to clear something up:

"didnt guess ur password or use bruteforce. i have my own guide
on how to secure emails."

I asked him why. Was I targeted specifically? Was this just to
get to Gizmodo's Twitter account?

No, Phobia said they hadn't even been aware that my account was
linked to Gizmodo's, that the Gizmodo linkage was just gravy. He
said the hack was simply a grab for my three-character Twitter
handle. That's all they wanted. They just wanted to take it, and
fuck shit up, and watch it burn. It wasn't personal.

"I honestly didn't have any heat towards you before this. i just
liked your username like I said before" he told me via Twitter
Direct Message.

After coming across my account, the hackers did some background
research. My Twitter account linked to my personal website, where
they found my Gmail address. Guessing that this was also the e-mail
address I used for Twitter, Phobia went to Google's account
recovery page. He didn't even have to actually attempt a recovery.
This was just a recon mission.

Because I didn't have Google's two-factor authentication turned
on, when Phobia entered my Gmail address, he could view the
alternate e-mail I had set up for account recovery. Google
partially obscures that information, starring out many characters,
but enough characters were visible: m••••n@me.com.
Jackpot.

This was how the hack progressed. If I had some other account
aside from an Apple e-mail address, or had used two-factor
authentication for Gmail, everything would have stopped here. But
using the .Me e-mail account as a backup told the hacker I
had an AppleID account, which meant I was vulnerable to being
hacked.
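The two paragraphs above describe the whole leak: an unauthenticated visitor to the recovery page saw a hint that kept the first and last characters of the local part and the full domain, which was enough to identify the provider, and the hint was only shown because two-factor authentication was off. The following is an added example, not code from the article or from Google; it models both facts so a defender can measure how much a hint policy gives away. The `Account` record, the two masking policies (`mask_weak` in the shape the article describes, `mask_strict` as a hypothetical stricter alternative) and the candidate address pool are all constructed for illustration.

```python
"""Added example (not from the article): measure how much an account-recovery
hint discloses under different masking policies. Everything here is a
constructed model, not any provider's real code."""
from dataclasses import dataclass
from typing import Callable, Optional

BULLET = "•"


@dataclass
class Account:
    email: str            # the address being recovered
    recovery_email: str   # the alternate address the hint is derived from
    two_factor: bool      # whether a second factor is enrolled


Policy = Callable[[str], str]


def mask_weak(email: str) -> str:
    """Hint in the shape the article describes: the first and last
    characters of the local part, its length, and the whole domain
    are all visible (e.g. martin@me.com -> m••••n@me.com)."""
    local, domain = email.split("@", 1)
    if len(local) <= 2:
        return f"{BULLET * len(local)}@{domain}"
    return f"{local[0]}{BULLET * (len(local) - 2)}{local[-1]}@{domain}"


def mask_strict(email: str) -> str:
    """Hypothetical stricter policy (an assumption, not any vendor's):
    no local-part characters, no length, only the top-level domain."""
    domain = email.split("@", 1)[1]
    tld = domain.rsplit(".", 1)[-1]
    return f"{BULLET * 3}@{BULLET * 3}.{tld}"


def recovery_hint(account: Account, policy: Policy) -> Optional[str]:
    """Model of the behaviour the article describes: the hint is shown to an
    unauthenticated visitor only when two-factor authentication is off."""
    if account.two_factor:
        return None
    return policy(account.recovery_email)


def consistent_candidates(hint: str, candidates: list[str], policy: Policy) -> list[str]:
    """Defender-side measure: which addresses in a pool would produce exactly
    this hint under the policy? A single match means the hint is as
    informative as the address itself."""
    return [c for c in candidates if policy(c) == hint]


# Constructed pool of addresses one person might plausibly own.
CANDIDATES = [
    "martin@me.com",
    "mason@me.com",
    "mk2012@me.com",
    "jdoe@me.com",
    "mkrn@gmail.com",
    "m_hudson@mac.com",
]


def disclosure_report(account: Account, candidates: list[str]) -> dict[str, Optional[int]]:
    """For each policy, the number of pool addresses still consistent with
    the hint shown; None means no hint is shown (second factor required)."""
    report: dict[str, Optional[int]] = {}
    for name, policy in (("weak", mask_weak), ("strict", mask_strict)):
        hint = recovery_hint(account, policy)
        report[name] = None if hint is None else len(consistent_candidates(hint, candidates, policy))
    return report


if __name__ == "__main__":
    victim = Account("someone@gmail.com", "martin@me.com", two_factor=False)
    print(mask_weak(victim.recovery_email))        # m••••n@me.com
    print(disclosure_report(victim, CANDIDATES))   # {'weak': 1, 'strict': 6}
    hardened = Account(victim.email, victim.recovery_email, two_factor=True)
    print(disclosure_report(hardened, CANDIDATES)) # {'weak': None, 'strict': None}
```

With the weak policy the hint narrows the constructed pool to one address, which is the situation the article describes; the strict policy leaves all six consistent, and enabling the second factor removes the hint from the pre-authentication page entirely, which is the point at which the article says the chain would have stopped.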

Comments

Sobering story, and a huge wake-up call. As ever, the quality and security of any process or system is at its weakest when human decision-making is required. 'Ok Computer?' indeed....

In the first paragraph, I'd personally say the broadcast of racist and homophobic messages on Twitter is 'worst of all'.

George

Aug 7th 2012

In reply to George

Yes, horrifying, imagine someone doing something so heinous as hacking your twitter account, I would just like, die with shame.

Dave

Aug 7th 2012

A fascinating and very loud wake-up call to the companies behind this. It should be up to the companies, not the consumer, to ensure that their data is held safely. The companies have asked for this data and therefore it is their responsibility to hold it securely.

Mostly I was disgusted to read some of the comments on the Tumblr account, fanboys took a whole new meaning on there. Some really awful stuff which shows the darker side of the internet, people would never say those things in person, but behind a keyboard and a faceless screen they can say whatever they want.

Mal

Aug 7th 2012

It makes for grim reading, being a pretty simple to execute hack. However, I'm afraid I lost some sympathy at the part where the MacBook wasn't backed up regularly. I can understand the loss of baby photos being the part of this that really sucks most, so I'm slightly gobsmacked the MacBook wasn't backed up for that length of time. Even without a hack, if the drive in the MacBook had failed - poof - data gone.

Effie

Aug 7th 2012

Would this have been avoided by selling your online world to Android instead of Apple? They don't use credit card authentication... but then again, to reset the password for gmail accounts you don't get telephone support who can be tackled with social engineering tricks, but there is also no telephone support to help fix it when something real bad like this happens...

Squirrel_masher

Aug 7th 2012

Great piece, Mat, and written for consumption by layman and geek alike. Sorry I came across it so late, I would have loved to have shared it at a Fortune 100 IT security related board meeting I was part of recently. Although a lot of companies have thrown a lot of money into hardware and software to secure their systems, beyond the basic company-wide 'security awareness' speech, policy, or packet review, there's really nothing that enforces the true need for defense against human engineering. Including the need to really re-think how the entire human equation should factor into the framework of IT security as we continue to move forward into this digital age. I hope to read more about this subject from you and WIRED soon. Also, please know you have my deepest condolences for the loss of your personal digital information.

Gina

Oct 2nd 2012

Wow, thanks to this guy I can't buy anything on iTunes because I've forgotten my security questions and you can't retrieve them.